The so-called third party certification is the highest level of certification, which enables a client to ensure, through the intervention of an independent, competent and supervised professional, known as a certification body, the compliance of a product with a specifications document or technical specifications.
Third party certification provides the client with independent and impartial confirmation that a product complies with a specification document or published technical specifications. These technical specifications may or may not be drafted within a normative framework.
The decree 2002-535
dated 18 April 2002 relating to the evaluation and certification of the security offered by information technology products describes the French certification framework for security products and systems.
The French Network and Information Security Agency (ANSSI) is responsible for examining certifications according to the directives given by the certification management committee.
Certification is based on evaluation studies conducted by laboratories licensed by the French Prime minister and accredited by the French accreditation committee (COFRAC) according to the standard NF EN ISO/CEI 17025. These laboratories are commonly referred to as Information Technology Security Evaluation Facilities
(ITSEF). The evaluations are conducted in accordance with specifications or standards specified by the ANSSI.
Certificates issued by the ANSSI by delegation from the Prime minister certify that the certified products comply with a technical specification referred to as the security target.
This security target may itself be certified in accordance with a specification document referred to as the protection profile. The protection profile is used to express high-level requirements and may be shared by a community of interests such as the banking, healthcare, transport community, etc.
Certified products or systems may bear the “IT Security Certification” mark below:
By virtue of the international agreements signed by the ANSSI
, the certificates issued may be recognised outside France.
The certificate certifies, on the day of signature, the compliance of a specific version of a product or system with the requirements listed in its security target.
To extend confidence in this compliance over time or facilitate the certification of the upgrades of a previously certified product, the certification body offers certificate maintenance packages.
The evaluation and certification procedures
, specifications and standards
specified by the ANSSI are published on this site.
Contact certification body: certification.anssi [at] ssi.gouv.fr